'Trojan mouse' was just a hint -- almost any hardware device that can be plugged into a computer can compromise its security

InfoWorld|Jul 5, 2011

Much of the computer security blogosphere was abuzz last week over NetraGard's clever hack of a client's network using a specially modified Logitech mouse USB mouse. The mouse contained firmware code that automatically launched when the socially engineered user plugged it in to his or her computer. The attack code simply dialed home to let NetraGard know it had been successful in penetrating the victim's network. Victory and success!

Many readers were unaware that hardware, especially a mouse, could be used to deliver auto-launching exploit code. But for others, this doesn't come as a surprise.

I developed my first USB virus nearly 7 years ago, when I was working for Foundstone. I figured out I could use hidden desktop.ini files to autolaunch any contained executable. It bypassed autorun- and Autoplay-blocking defense mechanisms. I had discovered that I could do this on a USB key, and my coworker at the time, Aaron Higbee, quickly moved my exploit to USB devices.

In short order, we had built a digital-camera roaming worm as a demo. It was a sweet day for discovery, although we both blew off the real work we'd been hired to do. Luckily, Foundstone was supportive of our efforts and told us to focus on further USB exploits. Ultimately, I was incredibly surprised to see, even heading into this year, USB-infecting vectors remain a major threat (although Microsoft's new default treatment of autorun and Autoplay has significantly diminished that risk).

IT security admins must understand that a computer can be compromised by almost any hardware device plugged into it. Hardware is hardware -- the instructions coded into it and its firmware takes precedence over software. When we talk trust boundaries in computer security, you always have to remember the hardware boundary must be discussed and defended. If I, as the attacker, can convince a victim to plug in some sort of hardware or if I plug it in myself, then it is, for all intense purposes, game over. If I can plug something into your USB, DMA, FireWire, and now mouse port, I'll likely succeed in carrying off a malicious action.

This isn't news. Thousands of people around the world have known this for a very long time. You shouldn't be any more worried about it today than you've been over the past two decades -- at least until these sorts of vectors start to become popularly exploited. Most bad actors don't need physical access to your machine for exploitative actions. The fake antivirus programs and malicious email links are still working quite well and infecting tens of millions of users.

If you are worried that your assets are at higher risk of physical attack, let this column be your wake-up call and show it to management.

You can take steps to protect yourself. End-user education is always worth trying. Let your end-users know that anything they plug into their computer could launch malicious code. That free USB key at the conference show? They shouldn't plug it in, nor should they attach free mice, free keyboards, or whatever if they are at elevated risk of physical attack.

System configurators can disable unneeded ports in the system's BIOS or within the controlling operating system. Disabling in the BIOS is better; that way, OS-boot-around attacks can't succeed. Unfortunately, you can't disable every port. Make sure all the normal antimalware and computer security defenses are enabled. You may not stop the initial compromise, but you might be able to detect or stop the subsequent actions.

And until better solutions are discovered, you will have to live with some amount of physical risk.

The reality is that most of us are facing far more malicious risk from far less sophisticated attacks. Good computer security defense is about evaluating your current threats and knowing which ones to concentrate on.